Chapter 14 Network Security

slurpslapout, Networks and Communications

20 Nov 2013 (3 years and 11 months ago)


Module 12

Network Security


12.1 - Developing a Network Security Policy

12.2 - Threats to Network Security

12.3 - Implementing Security Measures

12.4 - Applying Patches and Upgrades

12.5 - Firewalls



Developing a Network Security Policy

Assessing Security Needs


There must always be a delicate balance between security and accessibility.

The more accessible a network is, the less secure it is.

When it comes to a computer network, how much security is enough?

There are several factors to consider:

The type of business in which the company engages

The type of data stored on the network

The management philosophy of the organization

Acceptable Use Policy



The first step in creating a security policy for a company network is to define an Acceptable Use Policy (AUP).

An AUP tells the users what is acceptable and allowed on the company network.

To view some examples of AUPs, visit these websites:

Username and Password Standards



Usually the system administrator will define the naming convention for the usernames on a network.

A common example is the first initial of the person's first name and then the entire last name.

A complex username naming convention is not as important as having a complex password standard.

When assigning passwords, the level of password control should match the level of protection required.

Rules for Network Access



A system administrator who assigns the proper permissions on the share drives and directories defines the rules for network access.

By assigning the proper security permissions on the network, the system administrator should know who has access to specific directories.

Proper maintenance by the system administrator will be required to examine auditing logs of attempts that have been made to access the network shares.
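The two checks the slide describes, knowing who actually reaches which share and reviewing the audit trail of access attempts, as an added example that is not part of the course material. It assumes a constructed, simplified audit line format (ISO timestamp, user, share path, ALLOWED or DENIED); the sample lines are made up, not output from any real file server.

```python
# Added example (not from the course slides): reviewing share-access audit records.
# Assumes a constructed, simplified audit line format:
#   <ISO timestamp> <user> <share path> <ALLOWED|DENIED>
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines; not output from any real file server.
SAMPLE_AUDIT_LOG = r"""
2013-11-20T08:01:12 jsmith \\fs01\finance DENIED
2013-11-20T08:01:15 jsmith \\fs01\finance DENIED
2013-11-20T08:01:20 jsmith \\fs01\finance DENIED
2013-11-20T08:02:02 jsmith \\fs01\finance DENIED
2013-11-20T08:05:00 adoe \\fs01\public ALLOWED
2013-11-20T09:15:44 adoe \\fs01\hr DENIED
2013-11-20T17:30:00 bwong \\fs01\finance ALLOWED
2013-11-20T17:31:10 bwong \\fs01\public ALLOWED
"""


def parse_audit_log(text):
    """Yield one dict per non-empty audit line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, share, outcome = line.split()
        yield {
            "time": datetime.fromisoformat(stamp),
            "user": user,
            "share": share,
            "outcome": outcome,
        }


def access_summary(text):
    """Map each user to the sorted list of shares they successfully opened.

    Comparing this against the permissions the administrator intended to
    grant is the basic 'who has access to what' check."""
    seen = defaultdict(set)
    for entry in parse_audit_log(text):
        if entry["outcome"] == "ALLOWED":
            seen[entry["user"]].add(entry["share"])
    return {user: sorted(shares) for user, shares in seen.items()}


def find_repeated_denials(text, threshold=3, window=timedelta(minutes=5)):
    """Flag (user, share, total_denials) where at least `threshold` denials
    fell inside any `window`-long span; a single stray denial is ignored."""
    denials = defaultdict(list)
    for entry in parse_audit_log(text):
        if entry["outcome"] == "DENIED":
            denials[(entry["user"], entry["share"])].append(entry["time"])

    flagged = []
    for (user, share), times in sorted(denials.items()):
        times.sort()
        # Slide a window of `threshold` consecutive denials along the timeline.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append((user, share, len(times)))
                break
    return flagged


if __name__ == "__main__":
    for user, shares in access_summary(SAMPLE_AUDIT_LOG).items():
        print(f"{user}: {', '.join(shares)}")
    for user, share, count in find_repeated_denials(SAMPLE_AUDIT_LOG):
        print(f"review: {user} was denied {count} times on {share}")
```

The threshold-in-a-window rule keeps a single mistyped path from raising an alert while a burst of denials against one share, which is what a permission probe or a misconfigured mapping looks like, is surfaced for the administrator to review.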


Policy for Disposal of Materials



Hardware, software, and data should never just be thrown away.

There are strict regulations that should be followed to control the disposal of computer components.

The system administrator is responsible for developing a policy based on environmental and safety guidelines for hardware that no longer works.

To view some examples of disposal of materials policies, visit these websites:

Virus Protection Standards



Place proper filters and access lists on all the incoming gateways to protect the network from unwanted access.

To prevent viruses, e-mail policies also need to be developed that state what may be sent and received.

These websites provide sample e-mail policy standards:


Online Security Resources



Web-based resources offer critical information and powerful tools that can be used to protect a network. Some of the best online security resources are the NOS manufacturer websites.

To view examples of the online security resources, visit these websites:

Server Room Security



To protect computing resources, make sure that there is a locked door and four walls between the server and the rest of the area.

There are a variety of ways to permit or deny access to that area after it has been secured.

The lock and key is a tried and true method for physically securing the server environment.

This method works great if there are a limited number of people who need access.

Server Room Security


Using a combination locking mechanism is similar to a lock and key. The advantages to this method:

Keys no longer have to be distributed

Key control lists no longer have to be maintained

Combinations can also be reset when needed

The one drawback to this model is that it is very easy to share a combination with someone not authorized.

Card readers are the most common of the access control mechanisms.

They work by reading a magnetic signature off an access card or token.

A biometrics-based access control system uses measurable physical characteristics to authenticate users into an environment (fingerprints, retinal patterns, or speech).


Anti-Theft Devices for Server Hardware

A common security measure is the locking mechanism included as part of the server itself.

Most high-end servers enable the case to be locked, and in many cases the drives to be locked into the server chassis.

Almost all rack systems include locking front and back doors.

Removable media drive locks are locking devices that fit over the floppy drive, Zip drive, and CD-ROM drive to prevent unauthorized access.

Some servers are shipped with holes in the cases, which are predrilled for a padlock.

Alarms are the final add-on, and are best suited for the shared office environment.


Securing Removable Media


Security of removable media includes the following:

Removable disks: floppy, Zip, Jaz, LS120, CD-RW

Removable hard drives

Backup media, tapes

Several methods are used to ensure the security of removable media:

Lock the media in an office

Place the media in a locked cabinet with strict key control

Place the media in a safe, or a fire-resistant safe

Engage a third-party firm to store the tapes in their secure facility


Threats to Network Security


Overview: Internal/External Security



The Internet essentially works by following rules that are open to the public.

If one studies the rules enough, one is bound to find loopholes and weaknesses that can be exploited.

The number of individuals, organizations, and institutions connected to the Internet is growing.

Connecting to the Internet opens the door to network intruders.

Outside Threats



Several outside sources can cause attacks:

Hackers - the true hacker desires to dissect systems and programs to see how they work.

Crackers - those that break in to computer systems to tamper with, steal, or destroy data.

Virus - a program that causes some unexpected and usually undesirable event.

Worms - a self-replicating virus that does not alter files but resides in active memory and duplicates itself.

Trojan horse - a program that presents itself as another program to obtain information.


Denial of Service (DoS)



A DoS attack occurs when the targeted system cannot service legitimate network requests effectively.

This happens because the system has become overloaded by illegitimate messages.

DoS attacks originate from one host or a group of hosts.

When the attack comes from a coordinated group of hosts, such attacks are called Distributed DoS (DDoS).

A common DoS attack is to overload a target system by sending more data than it can handle.

Denial of Service (DoS)


There are several specific types of DoS attacks:

A buffer overflow attack is designed to overwhelm the software running on the target system.

The so-called ping of death is a well-known buffer overflow DoS attack.

The TCP synchronization (SYN) attack exploits the TCP protocol three-way handshake.

The attacker sends a large volume of TCP synchronization requests (SYN requests).
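What a SYN attack looks like from the defender's side is a pile of handshakes that never reach the third step. The following added example (not part of the course material) walks a constructed packet list and counts, per source, the connections that were opened with a SYN but never acknowledged; the addresses, ports and the simplified packet record format are all assumptions made for the example.

```python
# Added example (not from the course slides): spotting a SYN flood in a capture
# by counting handshakes that never complete. Packet records are a constructed,
# simplified form (timestamp, addresses, ports, TCP flag string); no live traffic.
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport flags")

SERVER = "192.0.2.10"      # constructed server address


def make_sample_capture():
    """Build a constructed capture: three normal handshakes from one client
    and 100 lone SYNs from another source that are never followed by an ACK."""
    pkts = []
    t = 0.0
    for sport in (40000, 40001, 40002):            # legitimate client
        pkts.append(Packet(t, "10.0.0.5", sport, SERVER, 80, "S"))
        pkts.append(Packet(t + 0.01, SERVER, 80, "10.0.0.5", sport, "SA"))
        pkts.append(Packet(t + 0.02, "10.0.0.5", sport, SERVER, 80, "A"))
        t += 0.1
    for sport in range(50000, 50100):              # half-open pattern
        pkts.append(Packet(t, "203.0.113.9", sport, SERVER, 80, "S"))
        pkts.append(Packet(t + 0.01, SERVER, 80, "203.0.113.9", sport, "SA"))
        t += 0.001
    return pkts


def half_open_per_source(packets):
    """Return {client_src: number of connections left in SYN_RECEIVED}.

    A SYN opens a pending entry keyed by the 4-tuple; the client's ACK of the
    SYN-ACK closes it. Whatever is still pending at the end is half-open."""
    pending = set()
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending.add(key)
        elif p.flags == "A" and key in pending:
            pending.discard(key)
    counts = defaultdict(int)
    for src, _, _, _ in pending:
        counts[src] += 1
    return dict(counts)


def detect_syn_flood(packets, threshold=50):
    """Sources holding at least `threshold` half-open connections."""
    return sorted(src for src, n in half_open_per_source(packets).items()
                  if n >= threshold)


if __name__ == "__main__":
    capture = make_sample_capture()
    print(half_open_per_source(capture))
    print("suspected SYN flood sources:", detect_syn_flood(capture))
```

The legitimate client's three connections complete and vanish from the pending set; the other source leaves every connection half-open, which is the signature the server's backlog queue suffers from. On a real network the same count is what SYN-cookie or backlog-limit tuning on the server, and rate limits on the boundary router, are meant to keep bounded.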


Distributed Denial of Service (DDoS)



Before the hacker can attack the ultimate target, a "fleet" of "zombies" (unsecured hosts with a permanent Internet connection) must be coordinated for the attack.

The hacker takes advantage of the zombie's lack of security.

The hacker breaks in to the system either directly or through an e-mail virus.

The goal of the break-in or virus is to install software on the zombie system.

The hacker uses the zombies to launch a DDoS attack on the ultimate target.


Well Known Exploits



Each combination of NOS and application software contains its own unique set of vulnerabilities and weaknesses.

Threats to network security come from individuals with sophisticated tools.

Some of these individuals are often called "script kiddies".

Script kiddie is a negative term used to describe immature individuals that use scripts, software programs, or techniques created by other, more skilled crackers.


Trojan Horse Programs


A Trojan horse is a program that presents itself as another program to obtain information. For example, there is a Trojan horse that emulates the system login screen.

When users type in their account name and password, the information is stored or transmitted to the originator of the Trojan horse.

The username and password can then be used to gain access to the system.


Inside Threats


Corporate espionage is the most sophisticated type of internal security threat.

Employees can be approached by competing companies.

There are freelance corporate spies who take assignments on a contract basis.

Internal security breaches can also be the result of rebellious users who disagree with security policies.

While not accidental, these breaches are not designed to cause harm.


Implementing Security Measures


File Encryption



File encryption is a way of encrypting data stored on a computer disk so that it is unreadable to anyone but the creator of the data.

Windows 2000 includes a file encryption function.

Windows 9x and Windows NT do not.

Third-party encryption programs are available for these OSs: PC Guardian, Deltacrypt, Winzap.


IP Security



IPSec secures data at the packet level.

It works at the network layer of the OSI model.

The Authentication Header (AH) enables verification of the sender identity.

Encapsulating Security Payload (ESP) ensures the confidentiality of the data itself.

IPSec can operate in either transport mode or tunnel mode.

Secure Sockets Layer (SSL)



SSL was developed by Netscape to provide security for its web browser.

It uses public and private key encryption.

SSL operates at the application layer and must be supported by the user application.

E-mail Security

E-mail users think they have the same expectation of privacy when sending e-mail as they do when sending a letter through the postal service.

A more accurate expectation would be to assume that the e-mail is like a postcard that can be read by anyone who handles it during its journey from sender to recipient.

E-mail messages often travel through dozens of nodes or servers on their way from sender to recipient.

Public/Private Key Encryption



One key is published and is widely available.

The other key is private and known only to the user.

Both keys are required to complete the secure communication.

This type of encryption is also referred to as asymmetric encryption.

With this type of encryption, each user has both a public and a private key, called a key pair.
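The key-pair idea above, worked through in code as an added example (not part of the course material): textbook RSA on the classic toy primes 61 and 53, showing that anyone with the published key can encrypt or verify, while only the private exponent can decrypt or sign. The primes, exponent and the digest reduction are assumptions chosen for the example; real keys use primes hundreds of digits long and padded encryption, which this toy deliberately omits.

```python
# Added example (not from the course slides): textbook RSA on small constructed
# primes to show the roles of the two keys in a key pair. The primes 61 and 53
# and exponent 17 are the usual toy values; real keys use primes of hundreds of digits.
import hashlib
from math import gcd


def make_key_pair(p, q, e=17):
    """Return (public_key, private_key) as (n, exponent) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    if n <= 255:
        raise ValueError("modulus too small to hold a byte")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Anyone holding the published key can encrypt; one toy block per byte."""
    n, e = public_key
    return [pow(byte, e, n) for byte in message]


def decrypt(private_key, blocks):
    """Only the private exponent recovers the plaintext bytes."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in blocks)


def _digest(message, n):
    # Toy: a SHA-256 digest reduced mod n. With a 12-bit n this is NOT collision
    # resistant; it only illustrates "sign the hash, not the message".
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """The private key produces a signature that the public key can check."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    public, private = make_key_pair(61, 53)
    ciphertext = encrypt(public, b"A")
    print("ciphertext:", ciphertext)                 # [2790]
    print("decrypted:", decrypt(private, ciphertext))
    sig = sign(private, b"meet at noon")
    print("signature valid:", verify(public, b"meet at noon", sig))
```

Two properties carry over unchanged to real-size keys: encryption needs nothing secret, so the public key can be handed to anyone, and because the exponent e is coprime to (p-1)(q-1) the signing map is a permutation, so altering a signature by even one changes what it verifies against.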


Applying Patches and Upgrades


Finding Patches and Upgrades



Patches are fixes to existing software code.

A NOS manufacturer typically provides security patches.

Microsoft now includes the option to use software called Windows Update with its operating systems.


Selecting Patches and Upgrades



Software makers recommend installing software security patches immediately.

This is done to reduce exposure to known vulnerabilities.

Software vendors release security updates as soon as they are available.

Understanding the effect on the system will help determine if an update, fix, or patch is necessary.

Applying Patches and Upgrades



Periodically, NOS vendors issue updates to their network operating systems. These updates have various names:

Microsoft Service Packs

IBM Fixpacs

Novell Patches

These updates usually fix bugs or close security holes that have been found in the released version of the OS.

Download the updates from the network operating system vendor's website.

Firewalls


Introduction to Firewalls and Proxies



A proxy is software that interacts with outside networks on behalf of a client host.

Typically, client hosts on a secure LAN request a web page from a server running proxy services.

The proxy server then goes out on the Internet to retrieve the web page.

The web page is then copied to the proxy server; this is referred to as caching.


Introduction to Firewalls and Proxies


Administrators use Network Address Translation (NAT) to alter the source address of packets originating from a secure LAN.

This allows secure LANs to be addressed using private IP addresses.

Private IP addresses are not routed on the Internet.

An outside hacker cannot directly reach a computer with a private address.

Some experts make a distinction between NAT and a firewall. Others look at NAT as part of a comprehensive firewall solution.
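Why a host behind NAT cannot be reached directly from outside, shown with a minimal translation table as an added example (not part of the course material). The public address, the inside address and the port allocation scheme are assumptions for the example; the code is this example's own and does not model any particular router.

```python
# Added example (not from the course slides): a minimal port-address-translation
# table showing why an unsolicited packet from the Internet cannot reach a
# private address. Addresses are constructed (RFC 1918 inside, documentation
# ranges outside); the code is this example's own, not any router's.

PUBLIC_IP = "203.0.113.1"            # constructed public address of the NAT router


class NatTable:
    def __init__(self, public_ip=PUBLIC_IP, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a LAN packet to the router's public address.
        Returns the translated (src_ip, src_port); creates a table entry on first use."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a packet arriving at the public address back to the LAN host that
        opened the conversation. Returns (priv_ip, priv_port), or None when no
        entry exists: the router then has nowhere to deliver it and drops it."""
        if dst_ip != self.public_ip:
            return None
        return self.inbound.get((dst_port, src_ip, src_port))


def demo():
    """Constructed walk-through: one outbound web request, its reply, and an
    unsolicited probe from a different outside host."""
    nat = NatTable()
    # 10.0.0.5 opens a web connection; the Internet sees 203.0.113.1:1024.
    translated = nat.translate_outbound("10.0.0.5", 40000, "198.51.100.7", 80)
    # The web server's reply is delivered back to 10.0.0.5:40000.
    reply = nat.translate_inbound("198.51.100.7", 80, PUBLIC_IP, 1024)
    # Another outside host sending to 203.0.113.1:1024 matches no entry.
    unsolicited = nat.translate_inbound("198.51.100.99", 4444, PUBLIC_IP, 1024)
    return translated, reply, unsolicited


if __name__ == "__main__":
    print(demo())
```

The inbound lookup is keyed on the remote address as well as the allocated port, so only the peer the inside host actually contacted gets an answer routed back; everything else arriving at the public address falls through to None, which is the practical reason the slide can say an outsider cannot reach a private address directly.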


Packet Filtering



The most basic firewall solution is an IP packet filter.

To configure a packet filter, a network administrator must define the rules that describe how to handle specified packets.




Packet Filtering


Both TCP and UDP use port numbers to address specific
applications running on a host.




Firewall software must guess at what connectionless traffic
is invited and what connectionless traffic is not.


The most comprehensive form of packet filtering examines
layer 3 and 4 headers and the layer 7 application data as
well.


Layer 7 firewalls look for patterns in the payload of the
packet.


This is done in an effort to determine what application is
being used, such as HTTP, FTP, and so on.


Firewall Placement



A boundary router connects the enterprise LAN to its ISP or the Internet.

The boundary router should only allow HTTP, FTP, mail, and DNS related traffic to the DMZ.

The DMZ is designed to keep the inside network clean.

The NOS servers in the DMZ should be tightly configured.
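The packet-filter rules described under Packet Filtering and the boundary-router policy just stated, combined into one worked example that is not part of the course material: a first-match filter over layer 3 and 4 fields that permits only HTTP, FTP, mail and DNS into the DMZ and denies everything else. The DMZ range, the sample packets and the rule format are assumptions for the example and do not follow any vendor's syntax.

```python
# Added example (not from the course slides): a first-match IP packet filter
# that expresses the boundary-router policy above (only HTTP, FTP, mail and DNS
# into the DMZ, everything else dropped). Addresses are constructed documentation
# ranges; the rule syntax is this example's own, not any vendor's.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DMZ = ip_network("192.0.2.0/24")      # constructed DMZ range


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dst: object           # an ip_network
    dport: Optional[int]  # None matches any destination port

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.dst) in self.dst
                and (self.dport is None or self.dport == pkt.dport))


# Layer 3/4 view of "HTTP, FTP, mail, and DNS related traffic to the DMZ".
BOUNDARY_RULES = [
    Rule("permit", "tcp", DMZ, 80),   # HTTP
    Rule("permit", "tcp", DMZ, 21),   # FTP control channel
    Rule("permit", "tcp", DMZ, 25),   # SMTP
    Rule("permit", "udp", DMZ, 53),   # DNS
    Rule("permit", "tcp", DMZ, 53),   # DNS over TCP
    Rule("deny", "any", ip_network("0.0.0.0/0"), None),  # default deny, made explicit
]


def evaluate(rules, pkt):
    """First matching rule wins; return (action, rule_index). A packet matching
    nothing is denied, mirroring the implicit deny at the end of an access list."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


def filter_packets(rules, packets):
    return [evaluate(rules, p)[0] for p in packets]


SAMPLE_PACKETS = [   # constructed inbound packets arriving at the boundary router
    Packet("tcp", "198.51.100.7", "192.0.2.10", 80),    # web to DMZ: permit
    Packet("udp", "198.51.100.7", "192.0.2.53", 53),    # DNS to DMZ: permit
    Packet("tcp", "198.51.100.7", "192.0.2.10", 3389),  # remote desktop to DMZ: deny
    Packet("tcp", "198.51.100.7", "10.0.0.5", 80),      # web straight to inside LAN: deny
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_packets(BOUNDARY_RULES, SAMPLE_PACKETS)):
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}: {verdict}")
```

Rule order matters in a first-match filter: the permits sit above the catch-all deny, and the final rule is written out rather than relied on implicitly so that a reader of the rule set sees the default. This filter looks only at layer 3 and 4 headers; the layer 7 inspection mentioned under Packet Filtering would add payload pattern checks on top of these verdicts.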

Common Firewall Solutions



The PIX Firewall 515 uses TFTP for image download and upgrade.

It has a low-profile design, 128,000 simultaneous sessions, and 170 Mbps throughput.

The PIX Firewall 520 uses a 3.5-inch floppy disk drive to load the image and upgrade.

It has an enterprise chassis design, 256,000 simultaneous sessions, and 240 Mbps throughput.

The PIX Firewall is secure right out of the box.

Default settings allow all connections from the inside interface access to the outside interface.


Common Firewall Solutions


The Cisco IOS Firewall Feature Set provides stateful packet filtering.

Another firewall solution is a UNIX host.

The UNIX host serves as a router, running packet filtering software such as ipfw, and/or NAT.

Home users have a variety of firewall options available as well.

Using an NOS as a Firewall



In high-traffic environments, a specialized packet filtering and NAT solution is recommended.

A device such as a router or firewall appliance is designed to switch packets and manipulate them quickly.

A NOS running on ordinary hardware may be able to do the job.

However, it does so at the cost of added latency and overhead on the server.

In low-traffic environments, such as small offices and home networks, a NOS firewall solution is a good choice.